Viruses, worms, trojan horses, and other malicious code (referred to herein collectively as xe2x80x9cComputer Virusesxe2x80x9d) are one of the greatest threats to computers and computer networks. In the last ten years the number of known Computer Viruses has grown by at least 100 fold. Each day new Computer Viruses are generated and unleashed on the computing public. A danger associated with distributing items, such as executable files or documents, over a computer network is the risk of spreading a Computer Virus from one computer in the network to others. Non-networked, or stand-alone, computers are not immune from the threat of Computer Viruses. A Computer Virus can be spread to a stand-alone computer when a user inserts an infected diskette or when a user accesses infected files or web pages over the Internet.
Currently, methods and systems exist for scanning items, such as executable files and documents, for Computer Viruses. These methods and systems use software known as virus scanners, which are usually installed on the workstation where items are accessed or, in the case of some network environments, on the server where items are shared between users. Virus scanners generally fall into one of two categories: on-demand scanning and automatic scanning.
On-demand scanning is scanning done at the request of a user. The user issues a command to a virus scanner to scan certain items, and the scanner reports back to the user that the item was either free from Computer Viruses or that a Computer Virus was found. If the scanner finds a Computer Virus, the user is usually given a list of options, e.g., deleting the item, renaming the item, or repairing the item by removing the virus.
Automatic scanning is done by hooking the computer""s operating system so that whenever a user attempts to access an item, the virus scanner is activated and the item is automatically scanned. With automatic scanning, so long as the scanner does not detect a threat, such as a Computer Virus, the user is usually not aware that a scan has occurred. If a threat is found the user can usually select from the same list of options that are available for on-demand virus scanning.
Most on-demand and automatic virus scanners scan for Computer Viruses in two ways. First, the target item, i.e., the item to be scanned, is checked for known Computer Viruses. More than 30,000 Computer Viruses are presently known and new Computer Viruses are being discovered every day. In addition to checking for known Computer Viruses, most virus scanners also perform checks for virus-like behavior. A problem with current automatic and on-demand virus scanning is that the same items are usually re-scanned numerous times because users have no way of determining whether an item has been previously scanned. In an on-demand system, even if a user remembers that he previously scanned an item, he has no way of knowing if the item has been altered after it was last scanned. Thus, the safest option is to re-scan the item before re-opening it. The problem of redundant scanning is further exacerbated in systems that employ automatic virus scanning because the virus scanner, through the aid of operating system hooks, automatically scans all items before the user is allowed to access them. This results in the same items being rescanned every time they are accessed, even if they have not been altered since they were last scanned.
As the number of known Computer Viruses increases, the amount of time it takes to scan an item will increase. In the near future, the time required to re-scan items will become prohibitive. Moreover, as new Computer Viruses are detected, virus scanners need to be updated. In some cases, it is necessary to update virus scanners on a daily basis. Because present virus scanners typically reside on each computer in a network, it is often a time consuming task to update all virus scanners within a network. And often, some computers in the network do not receive the most recent version of the virus scanning software.
It is an object of the present invention to create a xe2x80x9ctrustedxe2x80x9d environment inside a network or a computer. Items inside the trusted environment are certified to be free from Computer Viruses so that these items may be used without rescanning. A further object of the present invention is to provide a system and method for allowing virus scanning to be done within a computer network by a central virus scanner. Central virus scanning would greatly facilitate the updating of virus scanning software within a computer network. Central scanning would also allow for a system where the virus scanning is performed on a fast computer even though the items that may carry Computer Viruses are being accessed by slow computers. This would allow slow computers within a network to have the same level of Computer Virus protection as faster computers within the network.
The present invention is directed at a method and system for identifying items after they have been scanned by a virus scanner and for confirming that an item has been previously scanned for Computer Viruses and has not been altered since it was scanned. The present invention would substantially reduce the number of times an item is scanned. Rather then re-scanning an item each time it is accessed, a user accessing the item would need only to check that the item had been scanned previously and that the item had not been altered since it was scanned. The present invention would also enable virus scanning to be done centrally within an enterprise network. Moreover, it would allow for a system wherein an item is scanned once when it enters into an enterprise network but, so long as the item is not tampered with, is not re-scanned upon access by users within the network.
In one embodiment, the present invention would be used in an enterprise network where all users and virus scanners are authenticated by a central Certificate Authority (xe2x80x9cCAxe2x80x9d). The CA would use encryption technology to authenticate the virus scanners and the users within the network, and it would assign a public/private key pair to each user and virus scanner. The CA would be responsible for distributing the users"" and virus scanners"" public keys to the other users and virus scanners within the network. Thus, a level of trust between the users and the virus scanners within the network would exist, and the virus scanners would be able to create digital signatures that could be used to sign items after they are scanned. The network could also comprise a certificate database that would contain certificates for items that have been scanned by trusted virus scanners. The trusted virus scanners would have the ability to create certificates, and the certificates could contain information about whether a Computer Virus was found. In a preferred embodiment, the trusted virus scanners would have the ability to generate and append a unique identifier to each item that it scans. This unique identifier would function as a link between the certificate and the item, i.e., it would serve as an aid in retrieving the certificate for the item from the certificate database.
In the environment described above, the present invention would function as follows: When an item first enters the computer network a virus scanner scans the item for the presence of a Computer Virus. After verifying that the item is clean, i.e., does not contain a Computer Virus, a Globally Unique Identifier (xe2x80x9cGUIDxe2x80x9d) is generated and attached to the item. At the same time, a certificate that positively identifies the clean item and the scanner that performed the scan is generated. The GUID is used as a key to locate the certificate, which will be stored in a certificate database. The virus scanner then digitally signs the certificate, the GUID, and the original item with a cryptographic method so that if the certificate, the GUID, or the original item is subsequently altered, others would be aware of this fact. The signed certificate is then sent to a certificate database that can be sorted by GUID.
When the item is later accessed, it is checked for a GUID. If one is present, it is used to access a signed certificate from the certificate database. The signature is checked to verify that the certificate, the GUID, or the original item has not been altered. If the signature is good, i.e., verified, the user is allowed to access the item without re-scanning it. If the signature cannot be verified, the item is re-scanned by the virus scanner, a new GUID and certificate are generated, and the new GUID is appended to the item. The item with the new GUID appended thereto and the certificate are then digitally signed by the virus scanner. The signed certificate is then sent to the certificate database.
If, when a user attempts to access the item, no GUID is detected or a signed certificate cannot be located, the item will be treated as if it were being accessed for the first time and the procedure for first-time item access, as described above, will be followed, i.e., the item will be scanned, a certificate and GUID will be generated, the GUID will be attached to the original item, and the original item, with the attached GUID, and the certificate will be signed by the virus scanner.
Whenever an item is copied, moved, mailed, sent by FTP, or replicated, an operating system hook will move or copy the certificate to a location where it can be accessed the next time a user tries to access the item. If the item is moved to another trusted system that uses a different certificate database, the certificate could also be copied by the operating system hook to a certificate database on the target system. Of course, a trust relationship between the two systems must first be established, and the two systems must share one or more communication means that allow passing of objects with attached GUIDs. The communication means could be a special, direct connection or a public transport, such as the Internet. So long as the two systems trust each other, and trust each other""s virus scanners, one system could use the others certificates to ensure that an item has been previously scanned for Computer Viruses by a trusted virus scanner.